@tepid hornet fight me 
#koth
nova tide
ornate token
What's with the port 61432? mentats
patent forge
i think that's not min
nova tide
What's with the port 61432? mentats
@ornate token node service moved to that one
patent forge
mine* @ornate token
nova tide
instead of 3000
stiff egret
Downvote all you want, I'll get that nitro and spam you with this pepesaber.
ornate token
I see... no response from it xd
tepid hornet
@tepid hornet π
@nova tide osint
stiff egret
@nova tide
nova tide
I see... no response from it xd
@ornate token try port 65531
patent forge
we can do another one if you all want
ornate token
Nothing
I'd enjoy another game :D
patent forge
@ornate token is random room ok to you?
ornate token
Ye, I'm familiar with none of them so Β―_(γ)_/Β―
stiff egret
dont make hackers.
patent forge
when will hackers be removed?
nova tide
??
stiff egret
Lmao, why would it be?
nova tide
why it is going to be removed?
stiff egret
It's one of the only epic machines
patent forge
isn't there something like a monthly rotation?
stiff egret
Ah, no, they will keeping adding to them.
stiff egret
So after one point people will not be able to keep specific notes for every machine
except for those playing from the beginning
ornate token
patent forge
@nova tide fortuna pass has been changed?
nova tide
yeah
nova tide
yeah
patent forge
any hint?
ornate token
Ye, idk what to do with it
patent forge
what? base64?
ornate token
Ye
patent forge
that has already patched but
look for "file signature"
you get something pretty strange decoding that base64
patent forge
np
that's a nice way in, I liked that
but @nova tide already changed that password π’
ornate token
ornate token
He's rlly playing r6 xd`
And he's winning 
patent forge
that's how it works when someone knows how KOTHs works
did you find something else?
i know the nfs and base64 ways
ornate token
Aside from that port, nothing
patent forge
i'm feeling dumb
gobuster found nothing
is there any port upper than 10000? @nova tide
i can't do -p- scans because my internet is so slow...
nova tide
well i just somewhat patched the way coz gobuster won't find the directory
nova tide
so all the 4 methods ik are already patched π€·ββοΈ
patent forge
well GG hahah
nova tide
even if you get in, all the privescs are patched.
even you privesc my king loop is running.
patent forge
i think it's pretty much useless unless there is no way in
ornate token
Let's reset x)
I was joking, but k
nova tide
yeah reset and try finding that third way in.
imma get some sleep. just registered for summers
patent forge
well good night π
nova tide
well its 04:15pm π€·ββοΈ
ornate token
Cya!
nova tide
cya
patent forge
@ornate token reset?
ornate token
Yeah, still stuck
ornate token
Ye, cyberchef did the job but searched anyway. Further on idk
patent forge
you are getting something like ..PK.. ..... from base64
ornate token
Yes, cyberchef detected the file
ornate token
You can dm anytime, I'll try harder a bit more bfore giving up
limpid coyote
first time I ll play KOTH
patent forge
anyone up for a koth?
craggy wave
yeah
visual spire
hello
quiet schooner
@forest bobcat false
forest bobcat
why?
quiet schooner
The shell is a file on the box
forest bobcat
my terminal got breaked with random stuff
quiet schooner
Still applies
quiet schooner
Attacks to your machine are not allowed
forest bobcat
ok
quiet schooner
Spamming shells that you have on the box is allowed
quiet schooner
Take a minute to read the rules
forest bobcat
ok thx sir
quiet schooner
Please don't address me as sir.
visual spire
lol
forest bobcat
hey?
wooden grove
need help regarding koth here... i am connected to the vpn and can ping the box ip, but cannot access it via browser or run an nmap on it or anything.. Does this happen when it is under load or something?
fair adder
i confirm you from my side is ok... able to connect and interact with the machine
wooden grove
i am though.. tried killing openvpn and reconnecting but that doesn't fix it..
kindly note that i am able to ping the ip though..
quiet schooner
Stuff that relies on your network connection to the box
Your network connection to the box is your VPN
glossy fiber
did you get the root
wooden grove
checked my internet and my connection.. it's all ok..
visual spire
why when i go to ip/wordpress/wp-admin in panda machine it doesn't work
hi
can any one help
crisp siren
@visual spire try to add the ip address to /etc/hosts and call it panda.thm
by the way, does anybody know how to access another user's terminal when you have root?
somebody wrote exit on my terminal and Im wondering how
i would greatly appreciate anybody's help! π
real crescent
your terminal is linked to a pseudo-terminal (pty) and as almost everything else on Unix-like OS, it is available as a file
namely /dev/ptyX
also, your shell has your stdin available as file descriptor 0, available in /proc/<SHELL PID>/fd/0
crisp siren
thank you so much!
real crescent
welcome π
stiff egret
(google for how to get reverse shells using wordpress)
crisp siren
you can edit the 404.php in themes editor to execute a php reverse shell
but there are many different ways
visual spire
thanks
crisp siren
youre welcome!
west sky
anybody wanna play koth with me
forest bobcat
anyone here?
patent forge
Anyone up?
forest bobcat
anyone up????
sturdy plank
lol
forest bobcat
KOTH play???
serene bay
In KOTH is there any other way of checking others tty other than who -u
forest bobcat
is other koth players are in active in current game?
I need to check it
No one submitted any flags there
nova tide
In KOTH is there any other way of checking others tty other than
who -u
@serene bayps aux | grep pts
Orw
remote lodge
hello there! im new here and i would like to spectate someone play kotk as i find it really interesting, can someone send the spectate link here if somone is going to play ?
zinc furnace
@visual spire you can try to exploit wordpress installed plugins
many plugins are vulnerable
visual spire
yes
gusty rapids
@patent forge Haha gg you're trash
patent forge
@gusty rapids yep
patent forge
or maybe you can't even read a linpeas output properly?
i've patched 3 suid, nothing else π
glossy vessel
gusty cradle
π
patent forge
@glossy vessel imagine crying for luck parameter and suid patches (i didn't even touch the luckyshell) on fortune
patent forge
that's the point
@patent forge Haha gg you're trash
@gusty rapids but this is not learning.
you could ask for a hint @gusty rapids
gusty rapids
haha
patent forge
what a kid..
gusty rapids
i will
glossy vessel
yeah
you're trash
that's not acceptable
gusty rapids
ah nah he played well , not an insult
quiet schooner
Please keep it civil though.
gusty rapids
relax guys i just say gg @patent forge and trash not in the bad way , sorry if it hurts someone !
patent forge
why are you all asking to reset the machine? we did that like 8 minutes ago...
shell snow
Didnt even see we had a reset
gusty rapids
same
tropic dew
guys wtf stop resetting pls
patent forge
my gosh.......
livid dagger
well, now we know when we play against you what the root password is
tropic dew
this make no sense
livid dagger
lol
tropic dew
you can't stand loosing
patent forge
@livid dagger yep, common user is yormoma
livid dagger
lol
patent forge
if you find that, that's me β€οΈ
livid dagger
π
https://tryhackme.com/games/koth/8303 - Whoever is wanting to continue, there is still one vuln left open
just saying for if you want to defeat me
patent forge
to let me try finding the last vuln β€οΈ
stiff egret
Which machine?
stiff egret
Ah, ATB.
zinc furnace
@stiff egret @livid dagger this is the only problem with space jam
there is only one hole
gusty rapids
port 3000
zinc furnace
who so ever will patch that method will win
patent forge
@livid dagger has it something to do with carrots? π
zinc furnace
yef node js
livid dagger
carrots?! that made me laugh sorry
stiff egret
there is only one hole
@zinc furnace There are multiple methods in the box.
livid dagger
no, nothing to do with carrots
patent forge
carrots?! that made me laugh sorry
@livid dagger /local
livid dagger
@zinc furnace No, there are at least that I have been able to figure out, 2
don't know what you mean
DM me if you have to
stiff egret
There are 3 methods in the box, I think.
gusty rapids
the telnet is vulnerable ?
stiff egret
π€¨ Maybe
patent forge
@stiff egret carrots? π₯
stiff egret
π€
stiff egret
Actually I am not playing rn, solving some box. So, I don't know If I'll be able to help much. Anyway, I can try π
nova tide
@formal kindle that's a spectators link. click on "Options" from top right corner and copy the invitation link
shell snow
@patent forge hahaha nice man
patent forge
β€οΈ
shell snow
that was actually fun
patent forge
we have 20 minutes left
formal kindle
link ?
shell snow
Im not too good on the protecting bit lol
formal kindle
me too
patent forge
me either
formal kindle
is there anything on that side ?
formal kindle
like blog or video
patent forge
when you changed the king i gave you some time before killing everything
shell snow
hahaha
patent forge
@formal kindle there is the link up there
https://tryhackme.com/games/koth/join/3fb9f54c22cd58122969c35c
@patent forge -
formal kindle
?
patent forge
nothing patched, just moved stuff π
formal kindle
lol
patent forge
nope
upload still working
and someone else patched ssh key
before i actually write my "sign" into the txt file
patent forge
gg guys, I have to leave, nothing patched by me except from gdb which has moved to gdb2 keeping SUID capatibilies
gusty rapids
i use gdb2 but i loose my shell and someone patch shrek ssh private key π¦
inland sluice
how rude
wary jolt
Its not rude. Its called competition
visual spire
hi
visual spire
GG
patent forge
Anyone up rn? π
fair adder
@sturdy plank did you patch everything alredy ?
patent forge
i think he is just killing all pts
sturdy plank
@sturdy plank did you patch everything alredy ?
@fair adder yes
except ftp anonymous login
patent forge
what's the point of playing like this? π’
fair adder
there is no point tbh
patent forge
Elf do you know something about the port 9002
fair adder
let me see
patent forge
telnet that
you get a limited shell
but if you write more than some characters you get a "segfault"
fair adder
yeah i se
patent forge
doing a echo $(ls) i'm getting "koth" as file
i cannot do "pwd" because of segfault
patent forge
echo $(id)
stable narwhal
@patent forge those commands do not need to be wrapped in an echo command π
patent forge
of course i know
sturdy plank
i changed permission
patent forge
we are in a shell which doesn't give output
sturdy plank
so i dont think u can use any command except cd
patent forge
so i have to echo that
grand ember
if the limit on the command was 1 char longer i would be able to make a script to execute whatever you want via that port
sturdy plank
why u guys reset
grand ember
could you pass me the IP? π
patent forge
because you fucked the machine β€οΈ
fair adder
@sturdy plank what is the point of playing if you have automated scripts?
sturdy plank
i dont
fair adder
so you got in and manually patched everything in less then 3 mins ?
sturdy plank
so you got in and manually patched everything in less then 3 mins ?
@fair adder yes
fair adder
nah i give up i don't want to play vs ppl that have scritps
grand ember
i mean it's production so it's easy to patch everything
it's not like there are that many ways to root it
sturdy plank
ashu@10.10.20.38's password:```why this happening
nah i give up i don't want to play vs ppl that have scritps
@fair adder i dont
hardy jungle
Because you need a password for the account
grand ember
the key isn't there :)
fair adder
@sturdy plank and i thought that was you lmfao
full grove
or someone regenned keys
grand ember
yup
sturdy plank
key is here
full grove
or someone regenned keys
@full grove
sturdy plank
maybe
full grove
not maybe, yes, I can almost guarantee thats what happened
rm ~/.ssh/authorized_keys && ssh-keygen
sturdy plank
but nobody get king
so it should be a problem
restart???
ok
now someone get the king
but they against rule
grand ember
lmao
sturdy plank
they reseted the machine when i patched most of the things @grand ember
grand ember
and?
sturdy plank
u laught at wat??
grand ember
that's how most public games look lmao
sturdy plank
hmm
patent forge
Mr they patched one way
sturdy plank
i thought the admin add the rule that dont restart machine when the paths are patched
patent forge
and they are NOT killing all pts
so what's the point of this?
but they against rule
@sturdy plank
fair adder
if you can't even do anything
grand ember
i thought the admin add the rule that dont restart machine when the paths are patched
@sturdy plank lmao why would they, the reset is vote-based
patent forge
patching a id_rsa key is not cheating
grand ember
it's called hardening the system
sturdy plank
i didnt say its cheating
patent forge
i don't think so
remote lodge
patent forge
it's too easy to find
there is a root shell on the 9002
just trying to use that (i think i got the point)
grand ember
9002 is useful but to use it effectively you need to have a user shell in the first place
also oyu can just kill/stop 9001/9002
grand ember
there is but it's tricky to get it working
fair adder
is it bof?
grand ember
no
sturdy plank
WT*
patent forge
i was thinking to do something like e=$estuff
in a while loop, keeping it under the lenght limit
patent forge
trying to set a reverse shell command
sturdy plank
why people vote for reset while i patched all
the machine didnt destroy
or nothing happend to it
but they vote for reset
WT*
sturdy plank
ok any-way
patent forge
And I got kicked out immediately
sturdy plank
why people reset while the machine didnt destroy
patent forge
That was a problem, not the ssh key
sturdy plank
or nothing happend to it
patent forge
Have to wait 1 minute
forest bobcat
I waited about 5 mins now
patent forge
So you are not king
forest bobcat
yeah i know but i think the service is corrupted
patent forge
Post a screenshot of catting king
fair adder
echo "slavkosmith" > king.txt
bash: king.txt: Operation not permitted```i hate carnage...
patent forge
chattr? @fair adder
fair adder
@patent forge it says chattr not found as a command
and i found it
and when i supply full path
it still doesn't work
this is pain
patent forge
no i was asking that because of the operation not permitted
grand ember
yes you can
you can get your name in there in two ways
one requires chattr and is effective
fair adder
it doesn't have chattr π
grand ember
one doesn't require chattr but may not work if someone is already in that file
then upload chattr duh
patent forge
anyone playing rn?
@fair adder can you helping me with installing chattr if someone uninstalled that?
grand ember
oof
if it's not a static version of chattr it might not work because of different lib versions on your os and the box
forest bobcat
anyone up?
grand ember
nah, i'm left
grand ember
wdym
fair adder
if it's not a static version of chattr it might not work because of different lib versions on your os and the box
grand ember
basically the version you normally have in /usr/bin or smth is a dynamically linked one
it might work but it's not 100%, it all depends on the linked libraries it has and if they are present on the box
that's why you'd usually upload a statically linked one
fair adder
yeah its a good point
patent forge
any hint on tyrell? (except from librenms)
sturdy plank
any hacker want to play koth??
patent forge
vm?
why is people voting for reset???
my god guys, nothing patched except from ssh key
there are more ways in.
if you reset i'm gonna patch it anyway
@visual spire are you playing now?
visual spire
yes
patent forge
π¦
visual spire
@patent forge seems you in again
patent forge
noope
didnt patched anything this time
and i also tryied a new way in
(check upload on port 80 and try common formats)
cobalt flower
some one patched it cuz i cant get the rsa to work
patent forge
there are other ways.
stop focusing on that
that is a simple vulnerability which gets immediatly patched when used
cobalt flower
lol i tried 3 that i know
patent forge
in this case, odestorm just removed authorized_keys
i used the upload form, and it worked.
cobalt flower
the upload page never worked for me
patent forge
it actually work
cobalt flower
upload what exactly π
patent forge
he is asking for an image
try some images format
gg for odestorm which patched the id_rsa after asking for reset because i did the same π
visual spire
i found another way for shrek
patent forge
telnet?
patent forge
another public one π https://tryhackme.com/games/koth/join/eea228a9313c9dbecaa25e75
inland sluice
Is patching id_rsa the equiv. of changing the locks on all the doors (Defeating the "Leave services available to the normal expected users of teh system" requirement?)
patent forge
Is patching id_rsa the equiv. of changing the locks on all the doors (Defeating the "Leave services available to the normal expected users of teh system" requirement?)
@inland sluice is there another way? so no.
stiff egret
No, you can clearly patch ssh by changing rsa-keys.
quiet schooner
When you change passwords or keys for a user, you'd give them the new key
stiff egret
I don't think that illegal(?)
terse willow
Changing keys is fine
Switching ports it fine
Changing the config to only accept keys is fine
stiff egret
When you change passwords or keys for a user, you'd give them the new key
@quiet schooner wdym?
patent forge
@stiff egret do you know something about lfi on lion 5555?
quiet schooner
There's a security breach, and your keys and passwords have been leaked. here's new ones @stiff egret
terse willow
The only thing that isn't fine is just shutting the whole thing down
inland sluice
Oh
terse willow
@quiet schooner?
quiet schooner
@terse willow DoS, allowed hosts etc
hardy jungle
Swear that's forbidden in the rules
terse willow
That falls under a different rule..
stiff egret
There's a security breach, and your keys and passwords have been leaked. here's new ones@stiff egret
@quiet schooner Why would I change them in first place, If I give it to them later?
terse willow
Eh, I reckon allowed hosts would be fine too, to be honest
quiet schooner
@stiff egret Real world situation, you change keys and then give the genuine users the new keys
terse willow
It's a real world thing
quiet schooner
@terse willow You're not allowed firewall rules, so that seems pretty similar to me
inland sluice
I'm just trying to understand what i can/cannot do re: koth, only done one of them so far
terse willow
Nothing to do with the firewall though, and if you've changed it to keybased authentication and changed the keys then you've already accomplished the same thing
quiet schooner
@stiff egret You don't give the attackers the new keys
stiff egret
π€¨
inland sluice
What about say .. doing privesc and enabling f2b on the host
terse willow
@stiff egret If there's been a breach, the IT department change the SSH keys. They give the new keys to the employees -- the genuine users of the system
quiet schooner
@inland sluice Can I ask if you've actually read the rules?
inland sluice
How is it different than hosts/changing the keys? As for reading the rules, I am. because i am evaluating your responses against said rules to determine the brown score
quiet schooner
...wat
terse willow
That's a point actually. @lusty portal can you clarify this in terms of KoTH rules -- are you allowed to bump up the security measures around SSH?
i.e. change the Allowed Hosts, add fail2ban, etc
lusty portal
I don't see why not?
terse willow
It's technically realistic
lusty portal
Its all about attacking and defending
terse willow
Yeah, that was my thought
quiet schooner
Although
lusty portal
As long as its not full on stopping the service
quiet schooner
Fail2ban updates firewall rules
terse willow
So, apologies @inland sluice, I was right with the hosts, and wrong with the f2b π
quiet schooner
Which are banned
Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.``` @terse willowYeah hm. Once you're banned from talking to the host, its game over.
Will add to my list of things to discuss with Ashu and get back to you on that.
terse willow
I would say that it's one of those things that can end a game very quickly indeed
stiff egret
Isn't that almost equal to iptable ban?
inland sluice
So can changing a ssh key?
quiet schooner
Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services. Literally tells you to just enable key auth and not bother @terse willow
terse willow
So possibly shouldn't be allowed based on that
quiet schooner
@stiff egret it's a timed firewall rule, it's exactly equivalent
terse willow
I mean, yeah, there are definitely better ways James π
So can changing a ssh key?
@inland sluice Changing SSH keys is definitely fine π
stiff egret
π€·ββοΈ
inland sluice
re: changing keys is fine. is that because multiple vectors exist to obtain either the key, or to supress/change it?
terse willow
Each box has at least 3 entry points
Or should
I was told 4 for Fortune π€·ββοΈ
So, yes, that's the idea. Once you get in another way, you can change the SSH keys back
quiet schooner
re: changing keys is fine. is that because multiple vectors exist to obtain either the key, or to supress/change it?
@inland sluice Changing keys is fine, because that's a legitimate measure
terse willow
In the end, you're looking to do realistic stuff
inland sluice
the legitimate measure part confuses me,
quiet schooner
You're perfectly allowed to get on the box and patch all the vulns immediately
People will get mad and reset the box
But you can patch everything. But don't just drop heavyhanded firewall rules
Patch intelligently
Fix the actual issues, the logic flaws, the broken code, the exposed creds
terse willow
Basically, if you're doing something that would stop the box from functioning normally, then there's a problem. Think about it in a workplace environment -- if the box needs SSH, then SSH has to exist.
quiet schooner
@inland sluice There's also no such thing as a "brown score" π
inland sluice
@quiet schooner Sure there is.
inland sluice
It's a polite acronym for the opposite of an "it factor"
quiet schooner
I'm pretty sure you're making up terms now
terse willow
Be nice James π
terse willow
What do you mean by brown score @inland sluice? π
inland sluice
@quiet schooner "it factor" urban dictionairy, i didn't make it up
Bluntly, its could probably slip past a PG-13 censor, as long as it didn't also feature bikini's, death, violence, drugs, or any other adult themed content
Brown factor .. in this instance, brown is a synonym for a word that rhymes with "it"
quiet schooner
Sorry, but how does that relate to reading the KoTH rules? I should very much hope they don't contain violence, nudity or adult content
inland sluice
It does not. it has to do with anyone interpretation/explaining anything. It's the "Are they full of 'it' " comparison
Does anythign they say directly contradict the "rules" they are bringing up
Yes that's snippit, and yes i botched the snip initially with hi-liter
gusty cradle
Urban Dictionary is a joke
sonic belfry
My question for KotH is, should the defenses applied be realistic, as in used during Incident Response, or is further destructive and counter-productive measures allowed to fend of further intrusion?
quiet schooner
You shouldn't be doing anything destructive for the most part
gusty cradle
I think they have to be realistic, otherwise just use iptables and block all ips except your own π€
sonic belfry
I've never played it, but from what I can hear, is that it becomes more a game of defeating offense with better offense, rather than applying realistic defensive measures.
quiet schooner
It depends on who you're playing against
Because I just patch the box completely
Which makes it no fun for anyone else, and they spam resets
sonic belfry
Give points for proper realistic patching, would that be an idea to promote incentive to realistic defenses?
terse willow
Probably
But how the heck do you automate that? π€£
Be a bit difficult to determine what counts as "realistic patching" on the fly
quiet schooner
do old exploits work, is the service still up
I believe a few of the attack defence CTFs do this
sonic belfry
Yeah, probably through some probe script.
terse willow
So, basically, probe services to see if they're still up? Which is essentially health checks, no?
In that case, who gets the points? You'd need to be monitoring the bash history of each pts, in real time
sonic belfry
Sysmon π
terse willow
The only way I can see of to get it working would be to have a whitelist of "realistic" fixes for each service, submitted by the creator, which means you could potentially miss some
And even then you still have the problem of not knowing which user account to give the points to
stiff egret
imo, too much for a 1 hour game.
terse willow
Even if you could match a fix to a PTS, you then need to match it by account
Which is doable with IP, I suppose, but that's some serious scripting on every box to get it working π
Would be a great idea though
sonic belfry
Just use socat. π
terse willow
Socat fixes everything! π
inland sluice
But how the heck do you automate that? π€£
@terse willow apt-get update && apt-get upgrade? (yum -y update? )
one cmd patch
terse willow
To automate monitoring the logs to see which user applied a realistic defence?..
inland sluice
Umm .. send syslog somewhere else. add it to the "do not mess with this port" ip
Now filter on that host for reasonable/unreasonable
terse willow
Which is a good way to see a realistic defence being added, but you have no way to link it to which TryHackMe user made the defence π
inland sluice
Umm...sure ya do
terse willow
Uh, how?
inland sluice
When you connect to ovpn
your mac address and ip address are bound
If you think they aren't mining this info for something ... π
quiet schooner
terse willow
So, what, the IP address is going to be linked to the user account making the connection in the syslog?
Bear in mind, that's a syslog, for reference
terse willow
It'll tell you the user account that ran the command (and doesn't actually store every command either)
But doesn't link it to a PTS. Even with the PTS, you'd need to link that to an IP
Although you're right, we can link IPs to users π
There's a reason the King service works the way it does though -- by entering your exact THM username into a file on the machine
inland sluice
You can link a PTY To an ip
you can link an ip to a user.
You can link a cmd to a pty
terse willow
It's impossible to tell who's king without it
How do you intend to link a command to a pty in real time? π
(Serious question -- if there's an answer to it, then it could be great for Koth)
inland sluice
i do something very close to this w/ graylog
The query shows the sessions, and the users. as for the linking a cmd to pty. have you ever seen top (V) or ps -auxfw
there is already a chain for processes parent/child
terse willow
And where exactly is that getting monitored (and with whose resources)?
inland sluice
Do you mean where I am doing graylog? please be more direct
terse willow
No, the process list
inland sluice
ps auxfw example
terse willow
Which is great, when you're on the machine
inland sluice
That would have to be part of a nanny script.
terse willow
It would be easy to do if these were all dockerised
Thing is, they're full VMs
So you're gonna have to exfiltrate that list somewhere, in real time
inland sluice
Preferably encrypted
Yes, you will. you will have to set up a loghost
BUT chances are, such a thing already exists
so application -> syslog err -> syslog host
it could be err, info, whatever level you specify
apt-get install auditd
auditctl -a task,always
ausearch -i -sc execve
at a system level, to trap the input
I am pretty sure nesting only goes one way though, you cannot log TO a container from host.
but that wouldn't serve much purpose anyhow
.... Our windows systems generate 18GB/day / host π¦
noisy boxes
@terse willow If you are earnestly looking for a way to apply it to your vm infrastructure, i can offer to help you with a way to integrate it
It should not matter, if its host, guest, lxc, docker, vagrant or ansible .. it should apply just the same (see the post setup cmds pasted above)
terse willow
Could well be worth speaking to @lusty portal about that -- it would be him that needed to set it up at the site side to receive any information. Skidy, is this type of logging something that's possible for Koth?
inland sluice
Anything is possible. (If you can coherently describe what you are trying to do, you are over halfway to doing it) you are setting up a kernel level daemon to monitor syslog, and trap activity in it. I think a better question is, is it DESIRED
More on the auditd approach: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
fair adder
5 min food
please don't do patches im making notes for each room so i can sound like a pro
quiet schooner
Elf
fair adder
yes
quiet schooner
serene bay
@forest bobcat were you bro ?
forest bobcat
shit
forest bobcat
hey!
serene bay
stop making fake king.txt
serene bay
Public Game starting in 20
patent forge
@serene bay I just woke up, give me 5 minutes
Time for a coffee and a cigarette and Iβm there
serene bay
Yah I'll come later gotta finish some 100 episodes today π
patent forge
I NEED ANSWERS I DON'T NEED TO REST.
fair adder
well
i just rooted the box
@patent forge how does it feel when you can't do anything ?
patent forge
i'm working on 15065
remote lodge
Ν
patent forge
but it feels good if people are good π
fair adder
even if you get shell you can't do anything xD
patent forge
yep, but i'm learning something new
i'm a total beginner, i started studying like 2 months ago
i think that is pretty normal beeing keep closed out from people who just knows passwords
i had to scan, find the image, extract data then moving on mysql, guessing password and so on
of course if i've alredy known creds, you would be the one out π
fair adder
i dont know passwords π
patent forge
i'm talking about the other guy π
i had creds in 3 minutes, but he had already changed that
fair adder
jesus
patent forge
π
patent forge
wasn't everything patched?
even if you get shell you can't do anything xD
@fair adder
fair adder
it wasn't
i just locked everything up
yes
at that time
i was sitting and waiting for you to come
patent forge
now i'm waiting you β€οΈ
patent forge
pleeeeeease
fair adder
idk how you are better lol
used the cmd thing on port 15065
im 2 lazy to remind my self what its called smh
patent forge
yep i did, but it needs a bit of js knowledge
patent forge
so you need js knowledge to read the uri π
fair adder
eh ig
patent forge
yep, but the uri is obfuscated dude
patent forge
maybe yes hahah
fair adder
π
patent forge
(just nice competitivity, nothing against you)
i don't even know if i wrote "competitivity" right lol
patent forge
smh its alr you deserve to win anyway
@fair adder yep, you are right XDD
found every way on this machine before getting in
serene bay
Tyler's ssh is borken
fair adder
tyler
serene bay
BeenReset thrice still so slow
serene bay
wdym ?
fair adder
oh jesus you dont know π
serene bay
ah i was thinking something else π€£
fair adder
yeah tyler is preety easy
i used to think its hard until i tried it on my own
like without anybody
not very hard.
serene bay
it just needs your name in there then boom
fair adder
yep π
serene bay
@fair adder you wanna come one ?
fair adder
@serene bay cant rn im busy fixing my pc so i can play league
serene bay
prioritiesπ€
fair adder
rn no prioprities cuz it died..
patent forge
@fair adder won for 5 points
you really could no nothing btw, i've patched the post call
ggs btw
fair adder
yes but when you got king i had the shell
i could have killed you instantly if i wanted to anyway
but gg π
serene bay
@patent forge up ?
patent forge
i could have killed you instantly if i wanted to anyway
@fair adder you can kill pts's instantly
i don't think you had a top open (you dont.)
patent forge
@serene bay glhf β€οΈ
patent forge
it's open
serene bay
internet trouble π©
patent forge
no way π
patent forge
there is no problems with machine.
imma leave you frustated me
@serene bay i got frustrated too when peole resets machines just for the ssh key on shrek...
serene bay
my internet's damn slow rn idk
lone gorge
who is zezuz ???*
bitter spire
Good Game
livid turret
patent forge
is there a no-bruteforce way in hackers?
sturdy plank
dm me if u want to get more @patent forge
fair adder
2 waiting in KoH
patent forge
public one in 19 mins https://tryhackme.com/games/koth/join/56b4e0226db45e9a99f00f1c
fair adder
can the windows box be last?
quiet schooner
they're ordered by the time of addition
@grand ember In reverse order
grand ember
π
nova tide
Remove Windows 
full grove
windows is malware
gusty cradle
π
abstract notch
sturdy plank
can developers of machines add new machine to it??
quiet schooner
What?
sturdy plank
nothing
patent forge
@quiet schooner @full grove Iβm working on a room, but I would be glad to work on a KOTH room too
Is that possible?
glossy vessel
KOTH boxes are usually made by special creators with an admin approval
So I guess, If you really want to make a KOTH box, it's better to catch some admin (Dark for example) in the general chat and ask him directly
sturdy plank
@sturdy plank You using my name in the koth ?
@inland sluice wat u mean??
inland sluice
Thats why i was asking if you stuck my name in the root flag file or something π
That + 3 king changes
nova tide
New KoTH machine when? 
Every month new machines will be added to the pool, this will help reduce the chances of playing the same machine repetitively.
gusty cradle
Soon or maybe soonβ’οΈ π€
tacit vale
If we get another KoTH machine before we get socks there is going to be anarchy in the streets.
nova tide
Others are not fun anymore π€·ββοΈ
Cryillic is busy i think π€π₯Ί
winged charm
Whaaaaat
fair adder
@patent forge whats up?
patent forge
@fair adder π
patent forge
@fair adder i'm not playing lol
patent forge
time to get root
fair adder
nononono
patent forge
have you changed the passwords?
patent forge
i think there might be one other password left unchanged
actually i'm pretty sure there is
fair adder
patent forge
wow @austere wyvern a reset should of course let you win!
gg for your competitivity and for not beeing able to check cron jobs before asking for a machine reset β€οΈ
fair adder
wdym
full grove
so that's something that needs to be addressed eventually and is 100% a valid concern
replayability it difficult to implement, especially in a KOTH-On-Demand esq service
and I'll toss that into ideas chat π
quiet schooner
naming machines give possibility to just "google <machine name>". Just don't give name to machine can be a first step
@fast oyster That's been brought up. You can identify what machine it is immediately on getting your nmap results, so it doesn't change much
I mean
You just have a super quick table
if this port is open, it's Food etc
terse willow
Bear in mind there are also people like Naughty or Donuts around
Who can likely identify them all at a glance of the results
vast perch
Is there any harm in trying a game of KoTH if I know I dont have much experience
Just to see how it is
quiet schooner
2 of the KoTH boxes are available as standalone rooms
So I'd recommend that first
quiet schooner
vast perch
Thank you!
patent forge
I don't get KoTH goals, name of the machine is written and all writeup are on the net. people just google, follow walkthrough and patch everything ?
@fast oyster the only available writeups for koths (at least that I know) are the @stiff egret βs, which tells you the easiest way of (at least) every machine
patent forge
The point of koth is getting better with tools and techniques which you already know, getting more comfortable with your setup, and learn Linux sysadmin techniques also by other players
Oh. @trim sand
quiet schooner
patent forge
I forgot about the hackers one, but this is the only one I knew
Also when I play I always try to find new ways in before using the one I already know
quiet schooner
Discord won't let me send a link that happens to have a channel name in, because it's broken. But the message above has a link that will show you the two rooms
patent forge
Yes I have to look for βkothβ in activities
Btw I got your point too
Sometimes is so annoying finding skiddies in KOTH
vagrant gull
@sudden condor gg
sudden condor
you too mate
dreamy wasp
@vagrant gull Ayyy
sudden condor
@sage kindle
sage kindle
hhahha
dreamy wasp
We're all in a Discord call hanging out
nova tide
We're all in a Discord call hanging out
@dreamy wasp where π
There is also a KOTH vc in this discord as well.
vagrant gull
Ok thought you meant privately
dreamy wasp
@nova tide We were in our own Discord call, thought we'd do a box with just the three of us and wound up joining this fella instead
Wanted to track him down on Discord for a gg message c:
Didn't know there was a koth vc, I joined the Discord about 2 minutes ago
nova tide
@nova tide We were in our own Discord call, thought we'd do a box with just the three of us and wound up joining this fella instead
@dreamy wasp oh the game where there were 4 australians playing tyler?? π€
vagrant gull
Yep
dreamy wasp
4 in total
nova tide
aah i just saw that game but i didn't knew any of them.. i was planning to ping someone to send me the invite link π